From c38a1c52e986de025d6f2956d6e8628873ca9502 Mon Sep 17 00:00:00 2001
From: Daniel Pimenta
Date: Tue, 19 Dec 2023 00:01:14 +0000
Subject: [PATCH] Fix bugs
---
 app/models/permissions.py | 14 +--
 app/routers/clients_permissions.py | 6 +-
 app/routers/clients_policies.py | 131 ++++++++++++++++++++---------
 requirements.txt | 2 +-
 4 files changed, 103 insertions(+), 50 deletions(-)
diff --git a/app/models/permissions.py b/app/models/permissions.py
index 6594de0..a7fe0c9 100644
--- a/app/models/permissions.py
+++ b/app/models/permissions.py
@@ -40,17 +40,12 @@ class ScopePermission(APIBaseModel):
     description: Optional[str] = Field(description="Scope policy description")
-class Group(APIBaseModel):
-    id: str = Field(description="Group id")
-    path: str = Field(description="Group path")
-
-
 class GroupPermission(APIBaseModel):
     logic: Optional[Logic] = Field(Logic.POSITIVE, description="Logic to apply, either POSITIVE or NEGATIVE")
     decisionStrategy: Optional[DecisionStrategy] = Field(DecisionStrategy.UNANIMOUS.value,
                                                          description="Decision strategy to decide how to apply permissions")
     name: str = Field(description="Group policy name")
-    groups: List[Group] = Field(description="Group policy groups")
+    groups: List[str] = Field(description="Group policy groups")
     groupsClaim: Optional[str] = Field(description="Group policy groups claim")
     description: Optional[str] = Field(description="Group policy description")
@@ -67,6 +62,7 @@ class RegexPermission(APIBaseModel):
 class Role(APIBaseModel):
     id: str = Field(description="Role id")
+    required: bool = Field(description="Required")
 class RolePermission(APIBaseModel):
@@ -144,6 +140,7 @@ class UserPermission(APIBaseModel):
                                                          description="Decision strategy to decide how to apply permissions")
     name: str = Field(description="User policy name")
     users: List[str] = Field(description="User policy users list")
+    description: Optional[str] = Field(description="User policy description")
 class ModifyClientPermission(ClientPermission):
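Review bot: `required: bool = Field(description="Required")` on `Role` has no default, so under the pydantic 2.5.0 pinned in requirements.txt every role entry of a role-policy request must now carry `required`, and payloads that validated before this commit are rejected with 422. The `description: Optional[str] = Field(description="User policy description")` line added to `UserPermission` in the @@ -144 hunk has the same problem in a subtler form: in pydantic 2 `Optional` only permits `None` as a value, it does not make the key optional, so callers must send `"description": null` explicitly. If both are meant to be optional, give them defaults: `required: bool = Field(False, description="Whether the role must be present for the policy to grant access")` and `description: Optional[str] = Field(None, description="User policy description")`.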
@@ -204,4 +201,7 @@ class ResourceBasedPermission(APIBaseModel):
                                                          description="Decision strategy to decide how to apply permissions")
     name: str = Field(description="Resource based permission name")
     resources: List[str] = Field(description="Resource based permission resources")
-    policies: List[str] = Field(description="Resource based permission policies")
\ No newline at end of file
+    policies: List[str] = Field(description="Resource based permission policies")
+
+class ManagementPermission(APIBaseModel):
+    enabled: bool = Field(description="Management enabled/disabled")
\ No newline at end of file
diff --git a/app/routers/clients_permissions.py b/app/routers/clients_permissions.py
index b150924..e189866 100644
--- a/app/routers/clients_permissions.py
+++ b/app/routers/clients_permissions.py
@@ -1,7 +1,7 @@
 from fastapi import APIRouter
 from app.keycloak_client import keycloak
-from app.models.permissions import ResourceBasedPermission
+from app.models.permissions import ResourceBasedPermission, ManagementPermission
 router = APIRouter(
     prefix="/{client_id}/permissions",
@@ -18,6 +18,10 @@ def get_client_authz_permissions(client_id: str):
 def get_client_management_permissions(client_id: str):
     return keycloak.get_client_management_permissions(client_id)
+@router.put("/management")
+def get_client_management_permissions(client_id: str, managementPermission: ManagementPermission):
+    return keycloak.update_client_management_permissions(client_id, managementPermission.model_dump())
+
+@router.get("/resources")
 def get_client_resource_permissions(client_id: str):
diff --git a/app/routers/clients_policies.py b/app/routers/clients_policies.py
index 9f28454..0e5175a 100644
--- a/app/routers/clients_policies.py
+++ b/app/routers/clients_policies.py
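Review bot: The new `ManagementPermission` class is separated from `ResourceBasedPermission` by a single blank line and the file still ends without a newline, while every other class in this module is preceded by two blank lines. Add the second blank line before `class ManagementPermission(APIBaseModel):` and terminate the file with a newline so the `\ No newline at end of file` marker stops reappearing in every diff touching this module.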
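Review bot: The new PUT handler is named `get_client_management_permissions`, identical to the GET handler defined two lines above it, so the module-level name is rebound to the PUT function; FastAPI has already registered the GET route at decoration time, so it keeps working, but the name misdescribes the operation and is a redefinition that ruff flags as F811. Rename it to match what it does: `def update_client_management_permissions(client_id: str, managementPermission: ManagementPermission):`. Toggling fine-grained management permissions on a client is an administrative operation; the `APIRouter(` declaration in the @@ -1 hunk shows only `prefix=` and the rest of it is outside this hunk, so I cannot tell whether an auth dependency guards this router, and it is worth confirming that this PUT is not reachable without administrator credentials.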
@@ -23,70 +23,119 @@ def get_client_authz_policies(client_id: str):
 @router.post("/client")
-def create_client_policy(client_id: str, client_policy: ClientPermission):
-    client_policy = client_policy.model_dump()
-    client_policy["type"] = "client"
-    return keycloak.register_client_policy(client_id, client_policy)
+def create_client_policy(client_id: str, policy: ClientPermission):
+    policy = policy.model_dump()
+    policy["type"] = "client"
+    return keycloak.register_client_policy(client_id, policy)
 @router.post("/aggregated")
-def create_aggregated_policy(client_id: str, aggregated_policy: AggregatedPermission):
-    aggregated_policy = aggregated_policy.model_dump()
-    aggregated_policy["type"] = "aggregated"
-    return keycloak.register_aggregated_policy(client_id, aggregated_policy)
+def create_aggregated_policy(client_id: str, policy: AggregatedPermission):
+    policy = policy.model_dump()
+    policy["type"] = "aggregated"
+    return keycloak.register_aggregated_policy(client_id, policy)
 @router.post("/scope")
-def create_client_scope_policy(client_id: str, scope_policy: ScopePermission):
-    scope_policy = scope_policy.model_dump()
-    scope_policy["type"] = "scope"
-    return keycloak.register_client_scope_policy(client_id, scope_policy)
+def create_client_scope_policy(client_id: str, policy: ScopePermission):
+    policy = policy.model_dump()
+    policy["type"] = "scope"
+    return keycloak.register_client_scope_policy(client_id, policy)
 @router.post("/group")
-def create_group_policy(client_id: str, group_policy: GroupPermission):
-    group_policy = group_policy.model_dump()
-    group_policy["type"] = "group"
-    return keycloak.register_group_policy(client_id, group_policy)
+def create_group_policy(client_id: str, policy: GroupPermission):
+    policy = policy.model_dump()
+    policy["type"] = "group"
+    return keycloak.register_group_policy(client_id, policy)
 @router.post("/regex")
-def create_regex_policy(client_id: str, regex_policy: RegexPermission):
-    regex_policy = regex_policy.model_dump()
-    regex_policy["type"] = "regex"
-    return keycloak.register_regex_policy(client_id, regex_policy)
+def create_regex_policy(client_id: str, policy: RegexPermission):
+    policy = policy.model_dump()
+    policy["type"] = "regex"
+    return keycloak.register_regex_policy(client_id, policy)
 @router.post("/role")
-def create_role_policy(client_id: str, role_policy: RolePermission):
-    role_policy = role_policy.model_dump()
-    role_policy["type"] = "role"
-    return keycloak.register_role_policy(client_id, role_policy)
+def create_role_policy(client_id: str, policy: RolePermission):
+    policy = policy.model_dump()
+    policy["type"] = "role"
+    return keycloak.register_role_policy(client_id, policy)
 @router.post("/time")
 def create_time_policy(client_id: str,
-                       time_policy: RelativeTimePermission | DayMonthTimePermission | MonthTimePermission |
+                       policy: RelativeTimePermission | DayMonthTimePermission | MonthTimePermission |
                        YearTimePermission | HourTimePermission | MinuteTimePermission):
-    time_policy = time_policy.model_dump()
-    time_policy["type"] = "time"
-    return keycloak.register_time_policy(client_id, time_policy)
+    policy = policy.model_dump()
+    policy["type"] = "time"
+    return keycloak.register_time_policy(client_id, policy)
 @router.post("/user")
-def create_user_policy(client_id: str, user_policy: UserPermission):
-    user_policy = user_policy.model_dump()
-    user_policy["type"] = "user"
-    return keycloak.register_user_policy(client_id, user_policy)
-
-
-@router.put("/{policy_id}")
-def update_policy(client_id: str, policy_id: str,
-                  policy: ModifyClientPermission | ModifyAggregatedPermission | ModifyScopePermission |
-                  ModifyRegexPermission | ModifyRolePermission | ModifyRelativeTimePermission | ModifyDayMonthTimePermission |
-                  ModifyMonthTimePermission | ModifyYearTimePermission | ModifyHourTimePermission | ModifyMinuteTimePermission |
-                  ModifyUserPermission):
-    return keycloak.update_policy(client_id, policy_id, policy.model_dump())
+def create_user_policy(client_id: str, policy: UserPermission):
+    policy = policy.model_dump()
+    policy["type"] = "user"
+    return keycloak.register_user_policy(client_id, policy)
+
+
+@router.put("/client/{policy_id}")
+def update_client_policy(client_id: str, policy_id: str, policy: ClientPermission):
+    policy = policy.model_dump()
+    policy["type"] = "client"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/aggregated/{policy_id}")
+def update_aggregated_policy(client_id: str, policy_id: str, policy: AggregatedPermission):
+    policy = policy.model_dump()
+    policy["type"] = "aggregated"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/scope/{policy_id}")
+def update_client_scope_policy(client_id: str, policy_id: str, policy: ScopePermission):
+    scope_policy = policy.model_dump()
+    scope_policy["type"] = "scope"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/group/{policy_id}")
+def update_group_policy(client_id: str, policy_id: str, policy: GroupPermission):
+    group_policy = policy.model_dump()
+    group_policy["type"] = "group"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/regex/{policy_id}")
+def update_regex_policy(client_id: str, policy_id: str, policy: RegexPermission):
+    policy = policy.model_dump()
+    policy["type"] = "regex"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/role/{policy_id}")
+def update_role_policy(client_id: str, policy_id: str, policy: RolePermission):
+    policy = policy.model_dump()
+    policy["type"] = "role"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/time/{policy_id}")
+def update_time_policy(client_id: str, policy_id: str,
+                       policy: RelativeTimePermission | DayMonthTimePermission | MonthTimePermission |
+                       YearTimePermission | HourTimePermission | MinuteTimePermission):
+    policy = policy.model_dump()
+    policy["type"] = "time"
+    return keycloak.update_policy(client_id, policy_id, policy)
+
+
+@router.put("/user/{policy_id}")
+def update_user_policy(client_id: str, policy_id: str, policy: UserPermission):
+    policy = policy.model_dump()
+    policy["type"] = "user"
+    return keycloak.update_policy(client_id, policy_id, policy)
 @router.delete("/{policy_id}")
diff --git a/requirements.txt b/requirements.txt
index 0ca78ab..d6c9662 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,4 +7,4 @@ retry==0.9.2
 urllib3==2.0.7
 pydantic==2.5.0
 pydantic-settings==2.1.0
-identityutils @ git+https://github.com/eoepca/um-identity-service@v1.0.9
\ No newline at end of file
+identityutils @ git+https://github.com/eoepca/um-identity-service@v1.0.10
\ No newline at end of file
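Review bot: `update_client_scope_policy` and `update_group_policy` build `scope_policy`/`group_policy` from `policy.model_dump()` and set the `type` key on that dict, but then pass the untouched pydantic `policy` object to `keycloak.update_policy`, so the `type` is dropped and the client receives a model instance where every other update handler in this hunk passes the dumped dict. In both functions replace the three body lines with `policy = policy.model_dump()`, `policy["type"] = "scope"` (or `"group"`), `return keycloak.update_policy(client_id, policy_id, policy)`. All sixteen handlers now differ only in the type string and the target call, so a small module-private helper such as `_dump_with_type(policy, "scope")` returning the tagged dict would make this class of slip impossible, though that is optional. The `@router.delete("/{policy_id}")` handler on the last context line continues outside the hunk.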